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Description 

[0001] The invention relates to electronic printers and 
printing systems, and to a security system for electronic 
printers and printing systems . 
[0002] In particular, the invention relates to a security 
process for an electronic reprographic printer, compris- 
ing the steps of: providing a security administrator; pro- 
viding a security profile with discrete security levels for 
different classes of users under the control of said se- 
curity administrator; giving said administrator power to 
assign user identification numbers, and enable use of 
passwords by said users; providing user file security by 
assigning a non-removable security label to a user's 
files which prevents printing or displaying of said files 
without said security label. 

[0003] Further, the invention also relates to an elec- 
tronic printing system having programming means ena- 
bling a user to program instructions for print jobs; a 
source of image signals; memory means for storing said 
print jobs together with said image signals; and a printer 
for producing prints from said image signals in accord- 
ance with said instructions. 

[0004] Such method and apparatus is known from L 
J.FRAIM: "Secure Office Management System" pub- 
lished in proceedings of the Fall Joint Computer Con- 
ference, 1987, October 25-29, INFOMART; Dallas, Tex- 
as, pages 421-426. 

[0005] In conventional light/lens copiers, document 
security has generally been grounded on physical pos- 
session of the document originals and the copies made 
while copier access and use has been based on billing 
considerations. In the case of document security, secu- 
rity for a user's originals and copies was attended to by 
the fact that the originals from which the copies were 
made as well as the copies themselves normally re- 
mained in the possession and control of the owner or in 
the hands of someone known to the owner and trusted 
to make copies. Control over copier access on the hand, 
if it existed at all, was generally based on assuring that 
the person using the copier and making copies was cor- 
rectly billed or charged for the copies made. This for ex- 
ample led in the past to development and introduction 
of copy charge counters or meters which limited use of 
a copier to those persons having an account against 
which the cost of the copies could be charged. But gen- 
erally, in the copier environment, little or no attention 
was given to security, and particularly to the security of 
the owner's files. 

[0006] With the advent of electronic printing systems 
however, where the image is in the form of electrical sig- 
nals or pixels, a user's electronic files, programs, etc., 
which may be confidential or personal in nature, are at 
least temporarily stored in the system. As a result, the 
owner's files may be available to anyone having access 
to the system for reading, copying, tampering, etc. A 
similar situation occurs with data that is transmitted to a 
communication channel to or from the system. Anyone 



having access to the system can intercept and gain ac- 
cess to the transmitted data for his own purposes. 
[0007] In the prior art, security in the past has focused 
on computer systems as evidenced by U.S. Patent No. 

5 4,713,753 to Boebert et al wherein there is disclosed a 
secure system architecture for a data processor in which 
a predefined security policy, stored in a secure proces- 
sor, uses format control to prevent alteration of a pro- 
gram. U.S. Patents Nos. 4,525,780 to Bratt et al and 

10 4,498,1 32 to Ahlstrom et al (which relies on U.S. Patent 
No. 4,525,780 for its description) disclose a data 
processing system having an addressing system for 
processing object based information with a protection 
scheme for controlling access rights to the information. 

is And U.S. Patent No. 4,799,258 to Davies discloses a 
dual key system for controlling access to computers to 
assure a tamper resistant store. 
[0008] Further in computer applications, a User Iden- 
tification Code (UIC) technique has been used to control 

20 file access. In this technique, two numbers are provided 
per user, a group number and a member number. Each 
user accordingly is represented as a member of a group 
which may span a number of other users with a common 
need to share information. Further, each file has certain 

25 attributes associated with it, such as the UIC of the own- 
er and the protection settings controlling READ and 
WRITE access. The UIC system however is limited in 
the levels of security that it can provide and has limited 
extensibility. 

30 [0009] A second prior art technique of the type dis- 
cussed in U.S. Patents Nos. 4,498,132 and 4,525,780 
above is based upon access lists where each operation 
on a file is controlled by a list maintained by the file's 
owner of users who are granted or denied access. The 

35 list additionally may contain pre-defined group names 
and object enablements or restrictions. The disadvan- 
tages of this technique are the large amount of memory 
required and large amounts of processing overhead 
needed to maintain and verify the list. 

40 [0010] In contrast, the present invention provides a 
security process for an electronic reprographic printer 
of the above mentioned type, which is characterized in 
that, in the step of giving said administrator power, user 
identification numbers are assigned at less secured 

45 sites and use of passwords by said users is enabled at 
more secure sites; in the step of providing user file se- 
curity, the non-removable security label is assigned by 
said users; and in that said security process comprises 
the further steps: providing a site administrator; giving 

50 said site administrator control over user job program- 
ming options for said printer; isolating functions of said 
site administrator from user functions by assigning spe- 
cial identification number and password to said site ad- 
ministrator to prevent users from accessing said site ad- 

55 ministrator functions; and providing user file security by 
enabling users, to protect user files by user passwords, 
and to limit access of others to user files. 
[0011] Further, the present invention provides an 
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electronic printing system of the above mentioned type 
characterized by system lockout means for controlling 
programming of print jobs on said system, said lockout 
means being responsive to input of a preset user iden- 
tification number and user name to permit said user to 
program instructions for print jobs; first means to limit 
the source of said identification number to a preset iden- 
tification number source for said system, said first 
means enabling said source to assign special identifi- 
cation numbers to users enabling identified users to pro- 
gram instructions for print jobs on said system; second 
means to allow at least some of said users to provide 
personal user passwords to limit access of others to a 
user's print jobs in said memory means; and third means 
to allow individual users to limit the ability of other users 
having access to said individual users' print jobs to 
change said print jobs following access. 
[0012] In particular, the present invention provides a 
security process for an electronic reprographic printer, 
comprising the steps of: providing a security administra- 
tor; providing a security profile with discrete security lev- 
els for different classes of users under the control of the 
security administrator; giving the administrator power to 
assign user identification numbers at less secured sites, 
and enable use of passwords by the users at more se- 
cure sites; providing a site administrator; giving the site 
administrator control over user job programming options 
for the printer; isolating functions of the site administra- 
tor from user functions by assigning special identifica- 
tion number and password to the site administrator to 
prevent users from accessing the site administrator 
functions; and providing user file security by enabling 
users, to protect user files by user passwords, to limit 
access of others to user files, and to assign a non-re- 
movable security label to a user's files which prevents 
printing or displaying of the files without the security la- 
bel. 

IN THE DRAWINGS: 
[0013] 

Figure 1 is a view depicting an electronic printing 
system incorporating the security system of the 
present invention; 

Figure 2 is a block diagram depicting the major el- 
ements of the printing system shown in Figure 1; 
Figure 3 is a plan view illustrating the principal me- 
chanical components of the printing system shown 
in Figure 1; 

Figure 4 is a schematic view showing certain con- 
struction details of the document scanner for the 
printing system shown in Figure 1; 
Figures 5A, 5B, and 5C comprise a schematic block 
diagram showing the major parts of the control sec- 
tion for the printing system shown in Figure 1; 
Figure 6 is a block diagram of the Operating Sys- 
tem, together with Printed Wiring Boards and 



shared line connections for the printing system 
shown in Figure 1; 

Figure 7 is a view depicting an exemplary job pro- 
gramming ticket and job scorecard displayed on the 
5 User Interface (Ul) touchscreen of the printing sys- 
tem shown in Figure 1; 

Figure 8 is a view of the User Interface touchscreen 
on which is displayed a SECURITY card file having 
"Users", "Security Profile", and "Access Lists"icons, 
10 with the "Users" icon actuated to display a listing of 
users by name; 

Figure 9 is a view in which a user is selected by 
highlighting and opening a SYSTEM ADMI Nl STRA- 
TOR window providing processing selections; 
15 Figure 10 is a view displaying the User Profile for 
the user selected; 

Figure 11 is a view displaying the "Privileges" card 
file for the user selected; 

Figure 12 is a view showing the "Delete User?" op- 

20 tions window opened; 

Figure 1 3 is a view showing the " Assign New Own- 
er" options window opened; 
Figure 14 is a view showing the user "Profile Op- 
tions" window opened to display the "New User 

25 Template" selections; 

Figure 15 is a view of the User Interface touch- 
screen showing the "New User Template" following 
selection; 

Figure 16 is a view showing the "Security Profile" 
30 card file for the site; 

Figure 1 7 is a view showing the"Activity Log" for the 
site; 

Figure 18 is a view showing the "Activity Log" in Fig- 
ure 17 with the "Audit Trail Options" window 

35 opened; 

Figure 19 is a view of the User Interface touch- 
screen depicting the "Access Lists" card file; 
Figure 20 is a view showing the "Access Lists"card 
file of Figure 1 9 with a file window opened to display 

^o list selections: 

Figure 21 is a view showing the "Access Lists"card 
file of Figure 19 with the "Delete List?" window 
opened; 

Figure 22 is a view showing the "Member Name" 
^5 file with names of members in a selected access list; 
Figure 23 is a view showing the "Remove from list" 
selection window for removing members from the 
selected access list; 

Figure 24 is a view showing the "Add Member" win- 
50 dow for adding a member's name to the access list 
selected; 

Figure 25 is a view showing the "Job Access Con- 
trol" card enabling a file owner to set the access 
rights to the owner's files; and 
55 Figure 26 is a plane view of a second embodiment 
in which the security system is externally adminis- 
tered. 
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[0014] Referring to Figures 1 and 2, there is shown 
an exemplary image printing system 2 for processing 
print jobs in accordance with the teachings of the 
present invention. Printing system 2 for purposes of ex- 
planation is divided into image input section 4, controller 
section 7, and printer section 8. In the example shown, 
image input section 4 has both remote and on-site im- 
age inputs, enabling system 2 to provide network,scan, 
and print sen/ices. Other system combinations may be 
envisioned such as a stand alone printing system with 
on-site image input (i.e., a scanner), controller, and 
printer; a network printing system with remote input, 
controller, and printer; etc. While a specific printing sys- 
tem is shown and described, the present invention may 
be used with other types of printing systems. For exam- 
ple, printer section 8 may instead use a different printer 
type such as ink jet, ionographic, etc. 
[0015] Referring particularly to Figures 2-4, for off-site 
image input, image input section 4 has a network 5 with 
a suitable communication channel such as a telephone 
line enabling image data in the form of image signals or 
pixels from one or more remote sources to be input to 
system 2 for processing. Where the Page Description 
Language (PDL) of the incoming imaging data is differ- 
ent than the PDL used by system 2, suitable conversion 
means (not shown) are provided. Other remote sources 
of image data such as streaming tape, floppy disk, etc. 
may be envisioned. 

[0016] For on-site image input, section 4 has a docu- 
ment scanner 6 with a transparent platen 20 on which 
documents 22 to be scanned are located. One or more 
linear arrays 24 are supported for reciprocating scan- 
ning movement below platen 20. Lens 26 and mirrors 
28, 29, 30 cooperate to focus array 24 on a line like seg- 
ment of platen 20 and the document being scanned ther- 
eon. Image data in the form of image signals or pixels 
from net 5 or array 24 are input to processor 25 for 
processing. After processing, the image signals are out- 
put to controller section 7. 

[0017] Processor 25 converts the analog image sig- 
nals output by array 24 to digital. Processor 25 further 
processes image signals as required to enable system 
2 to store and handle the image data in the form required 
to carry out the job programmed. Processor 25 also pro- 
vides enhancements and changes to the image signals 
such as filtering, thresholding, screening, cropping, 
scaling, etc. 

[0018] Documents 22 to be scanned may be located 
on platen 20 for scanning by automatic document han- 
dler (ADF) 35 operable in either a Recirculating Docu- 
ment Handling (RDH) mode or a Semi-Automatic Doc- 
ument Handling (SADH) mode. A manual mode includ- 
ing a Book mode and a Computer Forms Feeder (CFF) 
mode are also provided, the latter to accommodate doc- 
uments in the form of computer fanfold. For RDH mode 
operation, document handler 35 has a document tray 37 
in which documents 22 are arranged in stacks or batch- 
es. The documents 22 in tray 37 are advanced by vac- 



uum feed belt 40 and document feed rolls 41 and doc- 
ument feed belt 42 onto platen 20 where the document 
is scanned by array 24. Following scanning, the docu- 
ment is removed from platen 20 by belt 42 and returned 

s to tray 37 by document feed rolls 44. 

[0019] For operation in the SADH mode, a document 
entry slot 46 provides access to the document feed belt 
42 between tray 37 and platen 20 through which indi- 
vidual documents may be inserted manually for trans- 

10 port to platen 20. Feed rolls 49 behind slot 46 form a nip 
for engaging and feeding the document to feed belt 42 
and onto platen 20. Following scanning, the document 
is removed from platen 20 and discharged into catch 
tray 48. 

15 [0020] For operation in the CFF mode, computer 
forms material is fed through slot 46 and advanced by 
feed rolls 49 to document feed belt 42 which in turn ad- 
vances a page of the fanfold material into position on 
platen 20. 

20 [0021] Referring to Figures 2 and 3, printer section 8 
comprises a laser type printer and for purposes of ex- 
planation is separated into a Raster Output Scanner 
(ROS) section 87, Print Module Section 95, Paper Sup- 
ply section 107, and Finisher 120. ROS 95 has a laser 
25 gi, the beam of which is split into two imaging beams 
94. Each beam 94 is modulated in accordance with the 
content of an image signal input by acousto-optic mod- 
ulator 92 to provide dual imaging beams 94. Beams 94 
are scanned across a moving photoreceptor 98 of Print 
30 Module 95 by the mirrored facets of a rotating polygon 
1 00 to expose two image lines on photoreceptor 98 with 
each scan and create the latent electrostatic images 
represented by the image signal input to modulator 92. 
Photoreceptor 98 is uniformly charged by corotrons 1 02 
35 at a charging station preparatory to exposure by imaging 
beams 94. The latent electrostatic images are devel- 
oped by developer 104 and transferred at transfer sta- 
tion 1 06 to a print media 1 08 delivered by Paper Supply 
section 107. Media 108 as will appear may comprise any 
40 of a variety of sheet sizes, types,and colors. For transfer, 
the print media is brought forward in timed registration 
with the developed image on photoreceptor 98 from ei- 
ther a main paper tray 110 or from auxiliary paper trays 
112, or 114. The developed image transferred to the 
45 print media 108 is permanently fixed or fused by fuser 
116 and the resulting prints discharged to either output 
tray 118, or to finisher 120. Finisher 120 includes a 
stitcher 122 for stitching or stapling the prints together 
to form books and a thermal binder 124 for adhesively 
50 binding the prints into books. 

[0022] Referring to Figures 1 , 2 and 5, controller sec- 
tion 7 is, for explanation purposes, divided into an image 
input controller 50, User Interface (Ul) 52, system con- 
troller 54, main memory 56, image manipulation section 
55 58, and image output controller 60. 

[0023] The image data input from processor 25 of im- 
age input section 4 to controller section 7 is compressed 
by image compressor/ processor 51 of image input con- 
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trailer 50 on PWB 70-3. As the image data passes 
through compressor/processor 51, it is segmented into 
slices N scanlines wide, each slice having a slice point- 
er. The compressed image data together with slice 
pointers and any related image descriptors providing im- 
age specific information (such as height and width of the 
document in pixels, the compression method used, 
pointers to the compressed image data, and pointers to 
the image slice pointers) are placed in an image file. The 
image files, which represent different print jobs, are tem- 
porarily stored in system memory 61 which comprises 
a Random Access Memory or RAM pending transfer to 
main memory 56 where the data is held pending use. 
[0024] As best seen in Figure 1 , Ul 52 includes a com- 
bined operator controller/CRT display consisting of an 
interactive touchscreen 62, keyboard 64, and mouse 66. 
Ul 52 interfaces the operator with printing system 2, en- 
abling the operator to program print jobs and other in- 
structions, to obtain system operating information, in- 
structions, programming information, diagnostic infor- 
mation, etc. Items displayed on touchscreen 62 such as 
files and icons are actuated by either touching the dis- 
played item on screen 62 with a finger or by using mouse 
66 to point cursor 67 to the item selected and keying the 
mouse. 

[0025] Main memory 56 has plural hard disks 
90-1,90-2,90-3 for storing machine Operating System 
software, machine operating data, and the scanned im- 
age data currently being processed. 
[0026] When the compressed image data in main 
memory 56 requires further processing, or is required 
for display on touchscreen 62 of Ul 52, or is required by 
printer section 8, the data is accessed in main memory 
56. Where further processing other than that provided 
by processor 25 is required, the data is transferred to 
image manipulation section 53 on PWB 70-6 where the 
additional processing steps such as collation, make 
ready, decomposition, etc are carried out. Following 
processing, the data may be returned to main memory 
56, sent to Ul 52 for display on touchscreen 62, or sent 
to image output controller 60. 

[0027] Image data output to image output controller 

60 is decompressed and readied for printing by image 
generating processors 86 of PWBs 70-7, 70-8 (seen in 
Figure 5A). Following this, the data is output by dispatch 
processors 88,89 on PWB 70-9 to printer section 8. Im- 
age data sent to printer section 8 for printing is normally 
purged from memory 56 to make room for new image 
data. 

[0028] Referring particularly to Figures 5A-5C, control 
section 7 includes a plurality of Printed Wiring Boards 
(PWBs) 70, PWBs 70 being coupled with one another 
and with System Memory 61 by a pair of memory buses 
72, 74. Memory controller 76 couples System Memory 

61 with buses 72, 74. PWBs 70 include system proces- 
sor PWB 70-1 having plural system processors 78; low 
speed I/O processor PWB 70-2 having Ul communica- 
tion controller 80 for transmitting data to and from Ul 52; 



PWBs 70-3, 70-4, 70-5 having disk drive controller/proc- 
essors 82 for transmitting data to and from disks 90-1 , 
90-2, 90-3 respectively of main memory 56 (image com- 
pressor/processor 51 for compressing the image data 

s is on PWB 70-3); image manipulation PWB 70-6 with 
image manipulation processors of image manipulation 
section 58; image generation processor PWBs 70-7, 
70-8 with image generation processors 86 for process- 
ing the image data for printing by printer section 8; dis- 

10 patch processor PWB 70-9 having dispatch processors 
88, 89 for controlling transmission of data to and from 
printer section 8; and boot control-arbitration-scheduler 
PWB 70-10. 

[0029] Referring particularly to Figure 6, system con- 

15 trol signals are distributed via a plurality of printed wiring 
boards (PWBs). These include EDN core PWB 130, 
Marking Imaging core PWB 132, Paper Handling core 
PWB 134, and Finisher Binder core PWB 136 together 
with various Input/Output (I/O) PWBs 1 38. A system bus 

20 UO couples the core PWBs 130, 132, 134, 136 with 
each other and with controller section 7 while local bus- 
es 1 42 serve to couple the I/O PWBs 1 38 with each oth- 
er and with their associated core PWB. 
[0030] On machine power up, the Operating System 

25 software is loaded from memory 56 to EDN core PWB 
130 and from there to the remaining core PWBs 132, 
134, 136 via bus 140, each core PWB 130, 132, 134, 
1 36 having a boot ROM 1 47 for controlling downloading 
of Operating System software to the PWB, fault detec- 

30 tion, etc. Boot ROMs 147 also enable transmission of 
Operating System software and control data to and from 
PWBs 130, 132, 134, 136 via bus 140 and control data 
to and from I/O PWBs 138 via local buses 142. Addi- 
tional ROM, RAM, and NVM memory types are resident 

35 at various locations within system 2. 

[0031] Referring to Figure 7, jobs are programmed in 
a Job Program mode in which there is displayed on 
touchscreen 62 a Job Ticket 1 50 and a Job Scorecard 
152 for the job being programmed. Job Ticket 150 dis- 

40 plays various job selections programmed while Job 
Scorecard 1 52 displays the basic instructions to the sys- 
tem for printing the job. 

[0032] To control access to printing system 2 at a site 
and protect any sensitive data and files stored in the sys- 

45 tern memory, the security system of the present inven- 
tion is provided. When invoked, a user in order to gain 
access to printing system 2 must authenticate himself 
by a special User Identification number (User ID). 
Where a password option is enabled, the user is also 

50 required to enter his password. As will appear, a Secu- 
rity administrator assigns the User ID while the user cre- 
ates his own password when allowed to do so. 
[0033] The site, which is the business location for the 
printing system 2, has the ability to define the level of 

55 security desired. Generally, the levels of security are: 

(1) no security except for administrative functions 
controlled by either a site administrator or a security 
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administrator. These administrative functions are 
the type which require access controls to protect 
sensitive information and performance variables for 
the system. At this security level, no user would be 
required to log onto printing system and each user 
would have full access to any function available on 
the system 

(2) a partially secure site would allow User IDs to 
be assigned to some users at the Security Admin- 
istrator's discretion. This would give these users ac- 
cess to certain privileged system functions. 

(3) a fully secured site where all users are assigned 
a User ID by the Security administrator. 

(4) fully secured site with passwords would allow 
some or all users, at the discretion of the Security 
administrator, to employ their own password to con- 
trol access to the user's own files that are in the sys- 
tem. 

[0034] A Site administrator is normally provided (al- 
though one administrator may serve in both Site and Se- 
curity Administrator capacities). The Site administrator 
is considered a privileged user and as such has certain 
privileges over and above those of either a secure or 
non-secure user. The Site administrator typically estab- 
lishes the programming features and functions that the 
site will have, the system default settings, etc., and has 
shared operating functions such as billing, accounting, 
etc. 

[0035] A Security administrator is a trusted individual 
charged with the responsibility for creating and imple- 
menting the security rules of printing system 2 consist- 
ent with the security level desired by the site. In this ca- 
pacity, the Security administrator controls access to the 
programming features, administration, and service of 
printing system 2. Programming functions and features 
comprise the different level of system job programming 
choices that are made available to a user by the Site 
administrator. Security administration relates to the 
process by which security at the site is administered 
while service refers to the security that governs access 
by sen/ice or repair personnel (referred to herein as 
Tech Reps.). 

[0036] To enable the Security administrator to carry 
out his duties, the Security administrator establishes 
and maintains a User Profile for each user. The User 
Profile allows the Security administrator to establish a 
security profile for each user to whom the Security ad- 
ministrator assigns a User ID plus other security ena- 
blements such as user passwords, rights to access dif- 
ferent system programming functions, etc. depending 
upon the security level of the site. As will be understood, 
access to the user profile is limited to whatever rights 
the Security administrator has. 

[0037] Referring to Figures 8-1 2, on entering the "Ad- 
ministration" mode, there is displayed on touchscreen 
62 certain card files including a "SECURITY" card file 
200 on which are displayed "Users", "Security Profile", 



and "Access Lists" icons 201 , 202, 203 respectively. Ac- 
tuation of "Users" icon 201 causes a "User Name" file 
205 to be displayed listing the names of all users at the 
site to whom a User ID has been assigned, the user's 

s ID, and whether the user is "Active" or "Inactive". Up and 
down scrolling icons 207, 208 permit scrolling of file 205 
to allow reading of all the user names. 
[0038] Where the Security administrator desires to 
view the User Profile for a particular user, a "Users"icon 

10 210 in "Users Name" file 205 is actuated to display a 
"SYSTEM ADMINISTRATION" window 212 having 
"Open Profile", "Activate", "Delete", and "Close" selec- 
tions. Moving window 212 so that the window pointer 
21 2' is opposite the name of the user whose User Profile 

15 is to be viewed and actuating "Open Profile"displays the 
User Profile 215 for the user name selected. As shown 
in Figure 10, User Profile 215 identifies the "User Sta- 
tus", "User Name", "User ID", whether the user has a 
password or not, and the user's "Default Account". Ad- 

20 ditionally, a "Job Access Control" icon 217 and a "Priv- 
ileges" icon 21 9 are displayed. 
[0039] Selecting "Privileges" 219 displays the privi- 
leges granted to the user as shown in Figure 11 . These 
consist of"Administration", "Service", and "Feature Ac- 

25 cess". 

[0040] The Security administrator ordinarily has "Ad- 
ministration" privileges for "Security" while the Site ad- 
ministrator has privileges for "Site". Asingle person may 
have privileges for "Both". Special ID numbers prevent 
30 users from gaining access to the security and adminis- 
tration functions performed by the administrator or ad- 
ministrators. 

[0041] Referring to Figures 9,12, and 13, actuating 
"Delete" in window 212 displays a "Delete User?" win- 

35 dow 221 with "Yes" and "No" options. Actuation of "Yes 11 
deletes the current user and displays an "Assign New 
Owner" window 223 through which the Security admin- 
istrator can assign a new owner for the former user's 
jobs currently in the system if desired. For this, and re- 

40 ferring to Figures 14-15, a "Profile Options" window 225 
is opened displaying a "New User Template" selection 
226. Actuation of the "New User Template" 226 displays 
the template 228 seen in Figure 1 5 by which a User Pro- 
file 215 for the new user is created. 

45 [0042] A similar procedure is followed where a "New 
User" is to be added to the users given access to printing 
system 2. In that case, the "New User"icon 230 in "Users 
Name" file 205 (Figure 8) is actuated. 
[0043] The Security administrator may also be given 

50 the ability to set up certain user independent functions 
such as the number of attempts a user can make to lo- 
gon before lockout, minimum User ID length, minimum 
password length, etc. depending on the security level of 
the site. For this, and referring to Figures 8 and 16, the 

55 Security Profile icon 202 is actuated to display "Security 
Profile" scorecard 232 showing the current security set- 
up of the site. These include whether or not user logon 
is required ("Logon Required"), the minimum number of 
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characters in the user's ID ("Minimum User ID Length"), 
the length of a sessions ("Session Timeout"), the maxi- 
mum number of logon attempts by a user that are al- 
lowed ("Maximum Failed Logons"), if a password is re- 
quired ("Password required for"), the "Minimum Pass- 
word Length", "Password History Length", and "Pass- 
word Expiration". 

[0044] An "Activity Log" icon 235 enables the Security 
administrator to access data when auditing security rel- 
evant functions and to activate auditing functions which 
will monitor and log system data, user logon/off, access 
to secure items, power on/off, etc. Actuating icon 235 
displays an "Activity Log" scorecard 237 (Figure 1 7) with 
a series of system auditing options for monitoring the 
number of times certain activities such as "Logon/Log- 
off", etc. take place. The site security enablements such 
as "Security Configuration" are also displayed for selec- 
tion together with an option to print out a hard copy of 
the activity log ("Print Activity Log") and to reset the log 
("Reinitialize Activity Log") as shown in Figure 18. 
[0045] Referring to Figures 8 and 1 9-24, the Security 
administrator may also set up access lists grouping us- 
ers who have security access to a common file. Actuat- 
ing "Access List" icon 203 displays a card file 239 of 
names for a specific job with a selection window 240. 
As in the case of individual users discussed previously, 
the Security administrator may select a list for deletion 
(Figure 21 ), or open a list to display the members names 
(Figure 22), or remove individual members from the list 
(Figure 23), or add new members to the list (Figure 24). 
[0046] As will be understood, the set of operations 
and program selections which an user is allowed to per- 
form on a particular job or directory object is a direct 
consequence of the user's clearance. Control over ac- 
cess to jobs and data stored in printing system 2 origi- 
nates with the data creator or owner and governs the 
operations which a user is allowed to perform on files 
resident in the system. 

[0047] Referring to Figures 10 and 25, actuation of 
"Job Access Control" icon 217 displays a "Job Access 
Control" scorecard 241 allowing a user to impose secu- 
rity restrictions on the user's files or jobs that are resi- 
dent in printing system 2. The security limitations fall into 
two general classes: "COPIED and MODIFIED" and 
"COPIED" only. Each class is subdivided into: "All Us- 
ers" 242, "Job Owner" 244, "Access List" 246, and 
"None" 248. "All Users" allows anyone to modify and/or 
copy the user's jobs, "Job Owner" allows only the job 
owner to modify and/or copy the user's jobs, "Access 
List" lists the names of users who are allowed to modify 
and/or copy the user's jobs, and "None" prevents any- 
one, including the job owner, from modifying and/or cop- 
ying the user's jobs. 

[0048] Tech Reps have their own security protection 
in the form of a Tech Rep ID number which is assigned 
either when printing system 2 is manufactured or when 
system 2 is installed. The Tech Rep ID number can be 
used to control down to the work support group level or 



any other service control level desired. 
[0049] Once the Tech Rep ID number is assigned, the 
service organization to which the Tech Rep belongs can 
assign a password to protect both the service organiza- 

5 tion and the site by limiting access to only Tech Reps 
who have the correct password. The Tech Rep pass- 
word can be changed at any time by the service organ- 
ization. Further the service organization can assign spe- 
cial Tech Rep passwords to each site to further enhance 

10 site and/or the service organization security require- 
ments. 

[0050] Additionally, the service organization can also 
assign advanced levels of servicing access to selected 
personnel at individual sites. Typically this would be to 

is site personal who have attended special training cours- 
es enabling them to perform more difficult and complex 
service operations on printing system 2 than the typical 
user would be able to do. The Site administrator normal- 
ly would decide the site personal to be selected for this 

20 purpose with the Security administrator controlling spe- 
cial service access rights through "Service" selection 
under "PRIVILEGE" as shown in Figure 11. 
[0051] While files are protected through the password 
mechanism and/or by the ability of a user to decide the 

25 appropriate access rights of others to the user's files as 
described, the operator also has the ability to assign a 
security label to a file. To enable the use of security la- 
bels, the system described and claimed in copending 
application SN 07/590633, filed on Sept. 28, 1990 (cor- 

30 responding to EP-A-0 478 335), entitled "Process For 
Merging Logos With Prints Produced By Electronic 
Printing Machines" in the names of Hengst et al (Attor- 
ney Docket No. D/89288) may be used for this purpose. 
A folder for security labels is stored in the system Merge 

35 Library into which the operator places his security label 
(s). In doing so, the user can identify the location of the 
security label on the page and the page side on which 
the security label is to appear. Printing system 2 assures 
that once selected, the user's file will never be displayed 

40 on touchscreen 62 or printed by printer section 8 without 
the security label selected by the user being present. In 
addition, printing system 2 provides the operator with 
the option of placing the security label in the background 
of the image displayed on touchscreen 62 or printed by 

45 printer section 8. This prevents anyone from removing 
the label since the security label will appear associated 
directly with the image itself. 

[0052] In addition to security labels, printing system 2 
provides the capability of printing other label types such 

50 as labels with an automatic date-time stamp along the 
edge or edges of the image displayed or printed.a label 
identifying the site of the printing system making the 
prints, a label identifying the image owner, etc. 
[0053] Referring to Figure 26, while a security system 

55 internal to a printing system 2 has been shown and de- 
scribed, control over the security of one or more sites 
may be established from a remote site, referred to here- 
in as security center 300. Center 300 is coupled to the 
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printing system site or sites by a communication channel 
305 such as a telephone wire. An external data base or 
memory 308 at security center 300 serves as a storage 
medium for the users' User Profiles 21 5 and ID numbers 
following establishment by the Security administrator. 
The users individual passwords are stored in the internal 
data base or memory 56 of the printing system that is 
used by the user. 

[0054] In order to gain access to one or more of the 
printing systems 2, the user enters his user ID number 
and password using keyboard 64. The user ID number 
is transmitted via channel 305 to the external data base 
308 where a comparison is made with the user ID num- 
bers held in data base 308. Where the user ID number 
entered at the site by the user matches a number held 
in data base 308, an authentication signal is sent via 
channel 305 to the printing system controller section 7, 
authenticating the user. Concurrently, the password en- 
tered by the user is compared with passwords held in 
the system internal data base and where a match is 
found, a second authentication signal is generated and 
sent to controller section 7 of the printing system. On 
receipt of user authentication, controller section 7 ena- 
bles the user to access the printing system. 



Claims 

1. Security process for an electronic reprographic 
printer, comprising the steps of: 

a) providing a security administrator; 

b) providing a security profile with discrete se- 
curity levels for different classes of users under 
the control of said security administrator; 

c) giving said administrator power to 

1) assign user identification numbers, and 

2) enable use of passwords by said users; 

d) providing user file security by assigning a 
non-removable security label to a user's files 
which prevents printing or displaying of said 
files without said security label; 
characterized in that 

in step c), user identification numbers are 
assigned at less secured sites and use of 
passwords by said users is enabled at 
more secure sites; 

in step d), the non-removable security label 
is assigned by said users; 

and in that said security process comprises the 



further steps: 

e) providing a site administrator; 

5 f) giving said site administrator control over us- 

er job programming options for said printer; 

g) isolating functions of said site administrator 
from user functions by assigning special iden- 

10 tification number and password to said site ad- 

ministrator to prevent users from accessing 
said site administrator functions; and 

h) providing user file security by enabling users, 

15 

1 ) to protect user files by user passwords, 
and 

2) to limit access of others to user files. 

20 

2. The process according to claim 1 including the step 
of: 

providing user file security by limiting user ac- 
25 cess to printer programming features. 

3. The process according to claim 1 including the step 
of: 

30 providing user file security by restricting user 

access to printer programming features that al- 
low only moving or changing of files. 

4. The process according to claim 1 including the step 
35 of: 

restricting access to complex printer program- 
ming features to avoid printer downtime. 

40 5. The process according to claim 1 including the step 
of: 

restricting user access to pre-selected printer 
programming features to reduce personal use 
45 of printer. 

6. An electronic printing system having programming 
means enabling a user to program instructions for 
print jobs; a source of image signals; memory 
50 means for storing said print jobs together with said 
image signals; and a printer for producing prints 
from said image signals in accordance with said in- 
structions, 
characterized by 

55 

a) system lockout means for controlling pro- 
gramming of print jobs on said system, said 
lockout means being responsive to input of a 
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preset user identification number and user 
name to permit said user to program instruc- 
tions for print jobs; 

b) first means to limit the source of said identi- s 
fication number to a preset identification 
number source for said system, said first 
means enabling said source to assign special 
identification numbers to users enabling identi- 
fied users to program instructions for print jobs 10 
on said system; 

c) second means to allow at least some of said 
users to provide personal user passwords to 
limit access of others to a user's print jobs in is 
said memory means; and 

d) third means to allow individual users to limit 
the ability of other users having access to said 
individual users' print jobs to change said print 20 
jobs following access. 

Patentanspruche 

25 

1. Verfahren zum Schaffen von Sicherheit fur eine 
elektronische reprografische Druckvorrichtung, 
umfassend die Schritte: 

a) zur Verfugung stellen eines Sicherheitsad- 30 
ministrators; 

b) zur Verfugung stellen eines Sicherheitspro- 2. 
fils mit diskreten Sicherheitsniveaus fur ver- 
schiedene Klassen von Benutzern unter der 3$ 
Verwaltung des Sicherheitsadministrators; 

c) Ausstatten des Administrators mit der Er 
machtigung 

1) Benutzeridentifikationsnummern zuzu 
weisen, und 

2) den Benutzern eine Verwendung von 
PaBwortern zu ermoglichen; 45 

d) zur Verfugung stellen eines Benutzerdatei- 
schutzes durch Zuweisen einer nichtentf ernba- 
ren Schutzmarkierung zu Dateien eines Benut- 

zers, was ein Drucken oder Anzeigen der Da- so 4. 
teien ohne Schutzmarkierung verhindert; 
dadurch gekennzeichnet, daft 

in Schritt c) Benutzeridentifikationsnum- 
mern an weniger gesicherten Standorten ss 
zugewiesen werden und die Verwendung 
der PaBworter durch die Benutzer an si- 
chereren Orten ermoglicht wird; 5. 



40 

3. 



in Schritt d) die nichtentfernbare Schutz- 
markierung durch die Benutzer zugewie- 
sen wird; 

und daB das Verfahren zum Schaffen von Si- 
cherheit die weiteren Schritte aufweist: 

e) zur Verfugung stellen eines Standortadmini- 
strators; 

f) Zuweisen der Verwaltung von Benutzerjob- 
programmieroptionen fur die Druckvorrichtung 
an den Standortadministrator; 

g) Isolieren von Funktionen des Standortadmi- 
nistrators von Benutzerfunktionen durch Zu- 
weisen spezieller Identifikationsnummern und 
PaBworter an den Standortadministrator, so 
daB verhindert wird, daB Benutzer auf die 
Standortadministratorfunktionen zugreifen; 
und 

h) zur Verfugung stellen eines Benutzerdatei- 
schutzes, dadurch daB den Benutzern ermog- 
licht wird, 

1) Benutzerdateien durch PaBworter zu 
schutzen, und 

2) den Zugriff von anderen auf die Benut- 
zerdateien einzuschranken. 

Das Verfahren nach Anspruch 1, umfassend den 
Schritt: 

zur Verfugung stellen eines Benutzerdatei- 
schutzes durch Einschranken des Benutzerzu- 
griffs auf die Druckvorrichtungsprogrammier- 
merkmale. 

Das Verfahren nach Anspruch 1, umfassend den 
Schritt: 

zur Verfugung stellen eines Benutzerdatei- 
schutzes durch Beschranken des Benutzerzu- 
griffs auf Druckvorrichtungsprogrammier- 
merkmale, die ein Verschieben oder Andern 
von Dateien ermoglichen. 

Das Verfahren nach Anspruch 1, umfassend den 
Schritt: 

Beschranken des Zugriffs auf komplexe Druck- 
vorrichtungsprogrammiermerkmale, urn eine 
Stillstandzeit der Druckvorrichtung zu vermei- 
den. 

Das Verfahren nach Anspruch 1, umfassend den 
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Schritt: 

Beschranken des Benutzerzugriffs auf voraus- 
gewahlte Druckvorrichtungsprogrammier- 
merkmale, urn den personlichen Gebrauch der s 
Druckvorrichtung zu verringern. 

6. Ein elektronisches Drucksystem mit einer Program- 
miereinrichtung, die einem Benutzer ermoglicht, 
Anweisungen fur Druckjobs zu programmieren; ei- 10 
ne Bildsignalquelle; eine Speichereinrichtung zum 
Speichern der Druckjobs zusammen mit den Bild- 
signalen; und eine Druckvorrichtung zum Erstellen 
von Druckerzeugnissen aus den Bildsignalen ge- 
maB den Anweisungen, *s 
gekennzeichnet durch 

a) eine Systemsperreinrichtung zum Steuern 
der Programmierung von Druckjobs auf dem 
System, wobei die Sperreinrichtung auf Einga- 20 
be einer voreingestellten Benutzeridentifikati- 
onsnummer und eines Benutzernamens so an- 
spricht, daB dem Benutzer ermoglicht wird, die 
Anweisungen fur Druckjobs zu programmieren; 

25 

b) eine erste Einrichtung zum Einschranken der 
Quelle der Identifikationsnummer auf eine vor- 
bestimmte Identifikationsnummernquelle fur 
das System, wobei die erste Einrichtung der 
Quelle ermoglicht, spezielle Identifikations- 30 
nummern an Benutzer zuzuweisen, wobei 
identifizierten Benutzern ermoglicht wird, die 
Anweisungen fur Druckjobs auf dem System zu 
programmieren; 

35 

c) eine zweite Einrichtung, die es wenigstens 
einigen der Benutzer ermoglicht, personliche 
BenutzerpaBworter zu vergeben, um den Zu- 
griff anderer auf Druckjobs eines Benutzers in 
der Speichereinrichtung einzuschranken; und 40 

d) eine dritte Einrichtung, die es individuellen 
Benutzern ermoglicht, die Moglichkeit anderer 
Benutzer, auf die Druckjobs der individuellen 
Benutzer zur Anderung der Druckjobs nach 45 
dem Zugriff, einzuschranken. 

Revendicatlons 

50 

1. Procede de securite pour une imprimante reprogra- 
phique 6lectronique, comprenant les etapes con- 
sistant k : 

a) fournir un administrateur de s6curit6 ; 55 

b) fournir un profil de security comportant des 
niveaux de securite discrets pour differentes 



classes d'utilisateurs sous la commande dudit 
administrateur de securite ; 

c) donner audit administrateur le pouvoir de 

1) affecter des numeros d'identifications 
utilisateur, et 

2) permettre I'utilisation de mots de passe 
par lesdits utilisateurs ; 

d) procurer la securite du fichier utilisateur en 
affectant une Etiquette de securite non enleva- 
ble au fichier utilisateur qui empeche I'impres- 
sion ou I'affichage desdits fichiers sans ladite 
etiquette de security ; 

caracterise en ce que 

k I'etape c), les numeros d'identification 
d'utilisateur sont affect6s k des sites moins 
sur et I'utilisation des mots de passe par 
lesdits utilisateurs est activee k des sites 
plus surs ; 

dans l'6tape d), I'&iquette de securite non 
enlevable est affect6e par lesdits 
utilisateurs ; 

et en ce que ledit proc6d6 de s6curit6 com- 
prend les 6tapes supplementaires consis- 
tant k : 

e) fournir un administrateur de site ; 

f) donner audit administrateur de site la com- 
mande sur les options de programmation de 
travaux pour ladite imprimante ; 

g) isoler les fonctions dudit administrateur de 
site des fonctions de I'utilisateur en affectant un 
num6ro d'identification special et un mot de 
passe special audit administrateur de site pour 
emp§cher les utilisateurs d'acceder auxdites 
fonctions d'administrateur de site ; et 

h) procurer une security de fichier utilisateur en 
permettant aux utilisateurs, 

1) de prot6ger les fichiers utilisateur par 
des mots de passe utilisateur, et 

2) de limiter I'acc&s des autres personnes 
au fichier d'utilisateur. 

2. Proc6d6 selon la revendication 1 , incluant I'etape 
consistant k : 

procurer une security de fichiers utilisateur en 
limitant I'acces par les utilisateurs aux options 
de programmation de I'imprimante. 

3. Proced6 selon la revendication 1 , incluant I'etape 
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consistant k : 

procurer une securite des fichiers utilisateur en 
limitant I'acces par les utilisateurs aux options 
de programmation d'imprimante qui permettent 5 
seulement le deplacement ou le changement 
des fichiers. 

4. Proced6 selon la revendication 1 , incluant I'Stape 
consistant k : 10 

limiter I'acces aux options de programmation 
d'imprimante complexe pour 6viter les temps 
d'arret de I'imprimante ; 

15 

5. Proc6d6 selon la revendication 1, incluant I'Stape 
consistant k : 

limiter I'acces aux utilisateurs a des options de 
programmation d'imprimante pr6selectionn6es 20 
pour reduire F utilisation personnelle de rimpri- 
mante. 

6. Systeme d'impression electronique comportant un 
moyen de programmation permettant k un utilisa- 2s 
teur de programmer des instructions pour des tra- 
vaux impression ; une source de signaux d'image ; 

un moyen de mSmoire pour m&noriser lesdits tra- 
vaux impression en meme temps que lesdits si- 
gnaux d'image ; et une imprimante pour produire 30 
les impressions k parti r desdits signaux d'image en 
conformity avec lesdites instructions, 
caract6ris6 par 

a) un moyen d'attribution exclusive de ressour- 35 
ces du systeme pour commander la program- 
mation des travaux impression ledit systeme, 
ledit moyen d'attribution exclusive de ressour- 

ce 6tant sensible a une entree d'un numero 
d'identification d'utilisateur preetabli et d'un 40 
nom d'utilisateur pour permettre audit utilisa- 
teur de programmer des instructions pour les 
travaux k imprimer ; 

b) un premier moyen pour limiter la source dudit 
numero d'identification k une source de nume- 45 
ro d'identification pr66tabli pour ledit systeme, 
ledit premier moyen permettant a ladite source 
d'affecter des numeros d'identification sp6- 
ciaux aux utilisateurs permettant aux utilisa- 
teurs identifies de programmer des instructions so 
pour les travaux d'impression sur ledit 
systeme ; 

c) un second moyen pour permettre au motns 
a ceirtains desdits utilisateurs de delivrer des 
mots de passe d'utilisateur personnels pour li- ss 
miter I'acces des autres aux travaux d'impres- 
sion de I'utilisateur dans ledit moyen de 
memoire ; et 



d) un troisieme moyen pour permettre aux uti- 
lisateurs individuels de limiter ('aptitude des 
autres utilisateurs, comportant I'acces auxdits 
travaux d'impression d'utilisateur individuel de 
changer lesdits accSs aux travaux d'impression 
suivants. 
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